Finding IP of threat blocked via DNS Proxy

SASY-IT — Mon, 11 Aug 2025 06:14:21 GMT

As our PA is configured at the moment, I see some notifications in the threat logs where a request from the Palo DNS proxy has been blocked from looking up something determined to be spyware.

I can't find a matching log anywhere to indicate the IP which made the DNS request to the Palo's DNS proxy. I'd appreciate some direction.

I'm aware some privacy apps use onion, this is just a generic example from the top of my logs. Many other examples which are virtually identical but for other spyware threats, all blocked the same way with no way to track the source.

Example:

Receive Time	Threat/Content Type	Source address	Destination address	NAT Source IP	NAT Destination IP	Application	Source Zone	Destination Zone	URL/Filename	Threat/Content Name
11/08/2025 15:18	spyware	[DNS-Proxy IP]	1.0.0.1	[external IP]	1.0.0.1	dns-base	[guest]	untrust	google.com.onion	Proxy:onion(109010004)
11/08/2025 15:18	spyware	[DNS-Proxy IP]	1.0.0.1	[external IP]	1.0.0.1	dns-base	[guest]	untrust	google.com.onion	Proxy:onion(109010004)
11/08/2025 15:17	spyware	[DNS-Proxy IP]	1.0.0.1	[external IP]	1.0.0.1	dns-base	[guest]	untrust	google.com.onion	Proxy:onion(109010004)

Re: Finding IP of threat blocked via DNS Proxy

reaper — Mon, 18 Aug 2025 09:34:33 GMT

you can switch to DNS sinkhole instead of blocking. This will poison the malicious DNS reply with your own (or Palo's) sinkhole IP and you'll see the original client make connections to that IP as it received a DNS reply and will now try to connect to it

topic Re: Finding IP of threat blocked via DNS Proxy in Next-Generation Firewall Discussions

Finding IP of threat blocked via DNS Proxy

Re: Finding IP of threat blocked via DNS Proxy